<!DOCTYPE html>
<html lang="en">
  <head>
    <link rel="stylesheet" type="text/css" href="/css/style.css?v=18" />
    <link rel="stylesheet" type="text/css" href="/css/fontello.css?v=2" />
    <link rel="stylesheet" type="text/css" href="/css/themes/nitter.css" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ff6c60" />
    <link rel="search" type="application/opensearchdescription+xml" title="nitter" href="https://nitter.net/opensearch" />
    <link rel="canonical" href="https://twitter.com/1ZRR4H/status/1560662815400407040" />
    <title>Germán Fernández (@1ZRR4H): &quot;Interesting, in one of the compromised servers there is evidence of exploitation since July 29th and the installation of some kind of miner (?)

Webshell:
&#x2F;public&#x2F;6574712.jsp

Payloads:
http:&#x2F;&#x2F;95.85.72.104:447&#x2F;z.sh
http:&#x2F;&#x2F;95.85.72.104:447&#x2F;amd64

[+] https:&#x2F;&#x2F;bazaar.abuse.ch&#x2F;sample&#x2F;eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d

3&#x2F;X&quot;|nitter</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="theme-color" content="#1F1F1F" />
    <meta property="og:type" content="photo" />
    <meta property="og:title" content="Germán Fernández (@1ZRR4H)" />
    <meta property="og:description" content="Interesting, in one of the compromised servers there is evidence of exploitation since July 29th and the installation of some kind of miner (?)

Webshell:
/public/6574712.jsp

Payloads:
http://95.85.72.104:447/z.sh
http://95.85.72.104:447/amd64

[+] https://bazaar.abuse.ch/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d

3/X" />
    <meta property="og:site_name" content="Nitter" />
    <meta property="og:locale" content="en_US" />
    <link rel="preload" type="image/png" href="/pic/media%2FFaiWb6fagAEe4ld.png%3Fname%3Dsmall" as="image" />
    <meta property="og:image" content="https://nitter.net/pic/media%2FFaiWb6fagAEe4ld.png" />
    <meta property="twitter:image:src" content="https://nitter.net/pic/media%2FFaiWb6fagAEe4ld.png" />
    <meta property="twitter:card" content="summary_large_image" />
    <link rel="preload" type="font/woff2" as="font" href="/fonts/fontello.woff2?21002321" crossorigin="anonymous" />
  </head>
  <body>
    <nav><div class="inner-nav">
        <div class="nav-item"><a class="site-name" href="/">nitter</a></div>
        <a href="/"><img class="site-logo" src="/logo.png" alt="Logo" /></a>
        <div class="nav-item right">
          <div class="icon-container"><a class="icon-search" title="Search" href="/search"></a></div>
          <div class="icon-container"><a class="icon-bird" title="Open in Twitter" href="https://twitter.com/1ZRR4H/status/1560662815400407040"></a></div>
          <a href="https://liberapay.com/zedeus"><svg class="lp" viewBox="0 0 40.6 52.3">
  <g transform="matrix(0.83,0,0,0.83,-158,-261)">
    <path d="m202.5,366c-3.1 0-5.5-0.4-7.3-1.2-1.8-0.8-3-1.9-3.8-3.3-0.8-1.4-1.1-3-1.1-4.8 0-1.8 0.3-3.7 0.8-5.8l8.3-34.8 10.2-1.6-9.1 37.8c-0.2 0.8-0.3 1.5-0.3 2.2 0 0.7 0.1 1.2 0.4 1.7 0.3 0.5 0.7 0.9 1.3 1.2 0.6 0.3 1.5 0.5 2.7 0.6l-2 8.1"/>
    <path d="m239.2 344.3c0 3.2-0.5 6.1-1.6 8.8-1 2.6-2.5 4.9-4.4 6.9-1.9 1.9-4.1 3.4-6.7 4.5-2.6 1.1-5.4 1.6-8.5 1.6-1.5 0-3-0.1-4.5-0.4l-3 11.9h-9.7l10.9-45.4c1.7-0.5 3.7-1 6-1.4 2.3-0.4 4.7-0.6 7.3-0.6 2.4 0 4.6 0.4 6.3 1.1 1.8 0.7 3.2 1.8 4.4 3 1.1 1.3 2 2.8 2.5 4.5 0.5 1.7 0.8 3.6 0.8 5.5m-23.8 13.4c0.7 0.2 1.7 0.3 2.8 0.3 1.7 0 3.3-0.3 4.7-1 1.4-0.6 2.6-1.5 3.6-2.7 1-1.1 1.7-2.5 2.3-4.1 0.5-1.6 0.8-3.4 0.8-5.3 0-1.9-0.4-3.5-1.2-4.8-0.8-1.3-2.3-2-4.3-2-1.4 0-2.7 0.1-3.9 0.4l-4.6 19.1"/>
  </g>
</svg>
</a>
          <div class="icon-container"><a class="icon-info" title="About" href="/about"></a></div>
          <div class="icon-container"><a class="icon-cog" title="Preferences" href="/settings?referer=%2F1ZRR4H%2Fstatus%2F1560662815400407040%23m"></a></div>
        </div>
      </div></nav>
    <div class="container"><div class="conversation">
        <div class="main-thread">
          <div class="before-tweet thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/1ZRR4H/status/1560006936866742281#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/1ZRR4H"><img class="avatar round" src="/pic/profile_images%2F1142488768517156864%2FAb9ueob-_bigger.png" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/1ZRR4H" title="Germán Fernández">Germán Fernández</a>
                        <a class="username" href="/1ZRR4H" title="@1ZRR4H">@1ZRR4H</a>
                      </div>
                      <span class="tweet-date"><a href="/1ZRR4H/status/1560006936866742281#m" title="Aug 17, 2022 · 8:53 PM UTC">Aug 17</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">🚨 Massive exploitation of CVE-2022-27925 (Zimbra Unauthenticated RCE) in progress, attackers install <a href="/search?q=%23Webshell">#Webshell</a> in /opt/zimbra/mailboxd/webapps/zimbraAdmin/ as a backdoor for later access (IAB?).

Attacks from:
66.115.189.144 🇺🇸
143.110.187.0 🇮🇳

1/X</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/orig/media%2FFaY5bV-X0AEi2ZD.png" target="_blank"><img src="/pic/media%2FFaY5bV-X0AEi2ZD.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 6</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 113</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 6</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 213</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/1ZRR4H/status/1560006941174284288#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/1ZRR4H"><img class="avatar round" src="/pic/profile_images%2F1142488768517156864%2FAb9ueob-_bigger.png" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/1ZRR4H" title="Germán Fernández">Germán Fernández</a>
                        <a class="username" href="/1ZRR4H" title="@1ZRR4H">@1ZRR4H</a>
                      </div>
                      <span class="tweet-date"><a href="/1ZRR4H/status/1560006941174284288#m" title="Aug 17, 2022 · 8:53 PM UTC">Aug 17</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">I can confirm <a href="/Volexity" title="Volexity">@Volexity</a>'s report and a slight increase in compromised servers, including Latin America. 

References:
[+] <a href="https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/">volexity.com/blog/2022/08/10…</a>
[+] <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-228a">cisa.gov/uscert/ncas/alerts/…</a>

2/X</div>
                <div class="attachments"><div class="gallery-row" style="">
                    <div class="attachment image"><a class="still-image" href="/pic/orig/media%2FFaY-qkYXgAApFmk.png" target="_blank"><img src="/pic/media%2FFaY-qkYXgAApFmk.png%3Fname%3Dsmall" alt="" /></a></div>
                    <div class="attachment image"><a class="still-image" href="/pic/orig/media%2FFaY-qkXXoAgpJQn.jpg" target="_blank"><img src="/pic/media%2FFaY-qkXXoAgpJQn.jpg%3Fname%3Dsmall" alt="" /></a></div>
                  </div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 8</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 16</div></span>
                </div>
              </div>
            </div>
          </div>
          <div id="m" class="main-tweet"><div class="timeline-item "><div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/1ZRR4H"><img class="avatar round" src="/pic/profile_images%2F1142488768517156864%2FAb9ueob-_bigger.png" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/1ZRR4H" title="Germán Fernández">Germán Fernández</a>
                        <a class="username" href="/1ZRR4H" title="@1ZRR4H">@1ZRR4H</a>
                      </div>
                      <span class="tweet-date"><a href="/1ZRR4H/status/1560662815400407040#m" title="Aug 19, 2022 · 4:19 PM UTC">Aug 19</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Interesting, in one of the compromised servers there is evidence of exploitation since July 29th and the installation of some kind of miner (?)

Webshell:
/public/6574712.jsp

Payloads:
http://95.85.72.104:447/z.sh
http://95.85.72.104:447/amd64

[+] <a href="https://bazaar.abuse.ch/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d">bazaar.abuse.ch/sample/eb882…</a>

3/X</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/orig/media%2FFaiWb6fagAEe4ld.png" target="_blank"><img src="/pic/media%2FFaiWb6fagAEe4ld.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <p class="tweet-published">Aug 19, 2022 · 4:19 PM UTC · Twitter Web App</p>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 6</div></span>
                </div>
              </div></div></div>
        </div>
        <div class="top-ref"><div class="icon-container"><a class="icon-down" title="" href="#m"></a></div></div>
      </div></div>
  </body>
</html>